As we are all aware, unsolicited and unwanted e-mail, commonly referred to as “spam e-mail”, is becoming a very significant annoyance and overall problem for all who use e-mail. More recently, there has also been a rise in the broadcasting of unsolicited electronic messages to handheld communication devices, such as broadcasting short text messages to cell phones, or broadcasting instant pop-up messages to personal computers running certain operating systems, or broadcasting digitized phone messages, or voice mail, to users of Voice over Internet Protocol (VoIP) technologies. Spammers, i.e., those who indiscriminately broadcast spam messages to a large number of recipients, flood the Internet with all kinds of advertisements and solicitations that most people would prefer not to see or hear. It is generally estimated that spammers send out bulk mailings that are typically in the billions of messages per day. Estimates indicate that most e-mail traffic, and a considerable percentage of total Internet traffic, is spam.
Spammers typically find recipient network addresses, such as e-mail addresses, by buying e-mail lists, by scouring web pages for e-mail addresses (in some instances, an e-mail address posted on a web site receives spam e-mail within a few minutes of posting), and by probing for likely addresses by attaching likely user names to registered domain names. Spammers may also scan mailing lists, and can theoretically scan all e-mail or similar Internet traffic that passes through their servers to harvest valid user network addresses therein.
Various solutions have been devised to fight spam. What follows merely highlights some of the difficulties these methods face in fighting spam e-mail, though they also apply to fighting other forms of spam.
Spam is fought today mainly by use of filters. Filters scan the sender network address, subject line and content, looking for telltale signs of spam. Spammers often obtain new, legitimate, publicly available but cheap network addresses to avoid getting caught by sender address filters, at least for a while. Spammers often also spoof sender addresses by falsely using, for example, the e-mail address of somebody else whose address is likely to be on the white list of spam e-mail filters. Spoofing e-mail addresses can create headaches for those whose addresses are spoofed, because they may get flooded with angry responses from recipients of spam e-mail, or filters may start to block their genuine e-mail messages.
Filtering based on subject line and content is generally effective only for a short time, as spammers have been able to devise countermeasures to bypass such filters. For example, some filters attempt to detect certain words that are considered most likely to appear only in spam e-mail. Spammers react to these filters by changing the words that are commonly scanned by the filters, or by spelling these words in different incorrect ways that are human readable but random enough that filters cannot keep up with the variations. On the other hand, such filters will occasionally capture legitimate e-mail messages. Other kinds of filters try to detect good e-mail messages by searching for words that do not occur in typical spam e-mail. Spammers have managed to bypass this kind of filter by appending random words to spam e-mail. Therefore, these kinds of filters need constant revision as spammers try to bypass them. Today, most filters may let as much as about 10% of spam e-mail through, and still occasionally block legitimate e-mail messages.
Phishing is another application of identity spoofing, wherein the sender address of an e-mail is forged. The phisher sends out an e-mail, usually as a broadcast like spam, purporting to originate from a legitimate authority such as a bank. The e-mail message requests recipients to take some action, such as to log on to a web site and enter an online banking password. This web site is usually an illegitimate imitation of the genuine site, with identical appearance and a very similar web address. The recipients may be tricked and blithely enter the online banking password and account number into the site as requested. Phishers can in this way gather account numbers and matching passwords, which then allow them to control victims' online accounts and clean out their bank deposits. Even if only 1% of recipients respond, the phishers can cause significant financial damage.
Phishing can also take the form of asking recipients to respond by e-mail, at which point the recipients enter a dialogue in which they are instructed to deposit money into certain accounts, often those of some alleged African prince attempting to get a fortune out of his country, in exchange for a promised award of millions of dollars that the recipients will never see. Another form of phishing is to send a virus executable under the spoofed identity of somebody who appears trustworthy, such as a colleague.
Phishing tends to be harder than spam to fight with filters that scan sender address and message content. One reason is the identity spoofing. Phishers may also attempt to match the subject line and content of their e-mail as closely as possible to legitimate e-mail, whereas the advertising content of most spam e-mail gives it away immediately.
Communication by electronic means is not likely to go away soon. Instead, its importance is likely to increase, and more and more types of data, from text to graphics to audio or video data, may be transferred and communicated to recipients in electronic form. While this may provide convenience to correspondents, it also provides opportunities for spammers to expand their spam activities. The lost productivity and cost associated with processing, reviewing and deleting spam messages are generally regarded as unacceptably large. If spammers' and phishers' capabilities to bypass conventional filters increase or if their use of identity spoofing increases, more powerful filters than today's reactive filters may be needed. If spammers and phishers are able to increase their bypass rates against conventional filters to significantly more than 10%, stronger filters will be especially desirable.
Cryptographic techniques are available for delivering encrypted and authenticated electronic messages. Today's cryptographic algorithms generally are deemed unbreakable. These techniques can be used to secure network traffic, including e-mail, protecting it from modification, from forgery and from eavesdropping. Traditionally, however, cryptography has been used to protect high value traffic, such as financial transactions or financial data. The Internet Engineering Task Force (IETF) has developed the S/MIME (Secure Multipurpose Internet Message Extensions) protocol that can be used to secure e-mail or data transferred using e-mail. Exclusive use of S/MIME would help prevent spam or phishing e-mail; however, it could also prevent certain normal business-to-business communications.
One of the problems with securing e-mail, and one reason it is not yet prevalent today, relates to the inconvenience of today's public key infrastructure (PKI). Typical e-mail users generally consider it difficult to obtain a public key certificate because the process of registering a certificate with a certification authority (CA) is typically considered expensive and complex. Further, S/MIME has an interoperability drawback: it uses digital certificates that must be signed by a root authority. PGP is another technique that basically delivers the same functionality as S/MIME and has similar limitations.
An alternative to a full PKI is for users to issue themselves self-signed certificates. From a security standpoint, this is not completely ideal. In the context of e-mail, it is possible for users to register each other's certificates without the intervention of the CA, and usually this is sufficient. However, when making new acquaintances, the onus is on the user to determine if the certificate is legitimate. For example, anyone could generate a self-signed certificate in the name of some well-known celebrity. The user would have to determine, without the aid of the certification authority (CA), whether this e-mail indeed corresponds to the celebrity. This is a limitation of not using a full PKI.
It is an object of the present invention to mitigate or obviate at least one of the above mentioned disadvantages.